Manage private apps in your Splunk Cloud deployment

Private apps are Splunk apps that are private to your Splunk Cloud deployment. These apps are not publicly available on Splunkbase. Like all Splunk apps, private apps must be approved by Splunk to be installed on your Splunk Cloud deployment. Splunk uses the validation tool AppInspect to determine if apps comply with the security requirements of Splunk Cloud. For information about AppInspect, see Splunk Appinspect tool on the Splunk developer portal.

In Splunk Cloud deployments, you can use Splunk App Management to manage and install private apps. You must be a Splunk Cloud administrator to manage and install private apps in your Splunk Cloud deployment.

Create a private app

Prerequisites

• See the Building Splunk Apps documentation on Splunkbase.
• For information about dependencies, see the Splunk Packaging Toolkit.
• For information about Appinspect, see Splunk AppInspect tool on the Splunk developer portal.
• If your private app uses Python, ensure that you use a supported version. For more details, see the Splunk Cloud section of the Python 3 Migration guide.

Steps

1. Create an app that conforms to Splunk app standards and requirements.
2. Make sure the app package does not have any static dependencies, because only dynamic dependencies are supported.
3. Package the app as a .tgz, .spl, .zip or .gz file. Keep the package size limited to 128MB.
4. Run the app through AppInspect and make sure it passes all app validation checks.

The file is ready to be installed on your Splunk Cloud deployment. You install and manage your private app yourself.

Upload and manage private apps in Splunk Cloud

In a Splunk Cloud deployment, you can upload, install, update, and view reports for your private apps.

Upload a private app

1. In Splunk Web, click the Apps gear.
2. Click the Uploaded Apps tab.
3. Click Upload App.
4. Enter your splunk.com credentials. These credentials are used to authenticate with AppInspect.
5. Select the consent check box and click Login.
6. Select the private app package that you created.
7. Click Upload.

This uploaded package is private to your Splunk Cloud deployment. It is stored in your Splunk Cloud deployment and not on Splunkbase.

When the package is uploaded successfully, it appears in the table on the Uploaded Apps page. The app name and version appear only when the package passes all AppInspect checks and is approved.

The Uploaded Apps table provides the following information:

Status

Based on the result of the app validation process, status can be one of the following:

• Vetting – Package is in the validation process.
• Approved – Package has passed all AppInspect checks or you have chosen to acknowledge the Splunk General Terms regarding potential impact of known issues and proceeded to allow installation.
• Installed – Package is installed on your Splunk Cloud deployment.
• Rejected – Package did not pass AppInspect checks. Issues must be addressed before installation in Splunk Cloud. Click View Report to see failures or issues.
• Failed message – Package validation did not complete due to some issues, for example, issues with the AppInspect service. Click More Info to find out why the package failed validation.

Install a private app

1. Use the Uploaded Apps table to verify that the status of your package is Approved. Your package must be approved before you can install it.
2. Click Install to install your private app.
3. Click the Apps tab to see that your private app is listed in the Apps table. You can also see that the value for App Origin is Uploaded.

Update a private app

1. If you are installing an earlier version, uninstall the currently installed app.
2. Upload your private app.
3. Verify that the app status is Approved in the Uploaded Apps table.
4. Click Install to install an earlier version. Click Update to replace an installed app with a later version.
5. Go to the Apps tab to see that the later version of your private app is listed in the Apps table.

View Report of a private app

1. Click View Report to see the AppInspect report for your package.
2. Use this report to find out why AppInspect rejected the package.
3. Make the required changes to the package and try uploading again.

Configuration file reload triggers in app.conf

Splunk apps can contain a combination of Splunk Enterprise core configuration files and custom configuration files, such as those created by app developers for both private apps and public apps on Splunkbase. Whether these configuration files reload when you install an app or make configuration changes depends on reload trigger settings in app.conf.

Many Splunk Enterprise core configuration files reload by default on app installation or when configuration updates occur. These files have a reload setting under the [triggers] stanza in $SPLUNK_HOME/etc/system/default/app.conf, which causes them to reload automatically.

A custom configuration file is by definition any configuration file that does not have a corresponding .spec file in $SPLUNK_HOME/etc/system/README. This includes custom configuration files found in third party apps, for example aws_settings.conf, service_now.conf, eventgen.conf, and so on.

All custom configuration files reload by default, unless the file has a custom reload trigger in app.conf. For example, in the Splunk Security Essentials app, app.conf contains the following custom reload trigger: reload.ssenav = http_get /SSEResetLocalNav. When you install an app or update configurations for an app that includes one or more custom reload triggers, Splunk software honors those custom reload trigger settings. If a custom reload trigger in app.conf fails, a rolling restart occurs instead. If a custom configuration file does not have a reload trigger specified in app.conf then that configuration file is ignored and no restart occurs.

For detailed information on how to configure reload trigger settings for configuration files, see app.conf in the Admin Manual.

For more information on restart vs. reload behavior of Splunk Enterprise core configuration files, see Restart or reload after configuration bundle push? in the Splunk Enterprise documentation.

Stanza-level reload triggers for inputs.conf

Stanza-level reload triggers enable the reload of only those specific configuration file stanzas that change when a configuration update occurs. This lets admins perform more efficient configuration updates based on which stanzas in the configuration file will change.

Stanza-level reload currently applies to a subset of stanzas in inputs.conf only. Any inputs.conf stanza that has a reload.<conf_file_name>.<conf_stanza_prefix> entry under the [triggers] stanza in app.conf will reload when changes are made to the specified stanza. Changes made to any inputs.conf stanzas that are not specified in a stanza-level reload entry will trigger a rolling restart.

Stanza-level reload for inputs.conf applies only when pushing changes to the configuration bundle in the indexer clustering context.

The following stanzas are reloadable in inputs.conf:

For detailed information on stanza-level reload triggers, see app.conf. in the Splunk Enterprise documentation.

Disable reload triggers in app.conf

You can disable both .conf-level reload triggers and stanza-level reload triggers by specifying the value never for any reload trigger entry in app.conf. Any reload trigger entry with a value of never will trigger a rolling restart when configuration changes occur. This can be useful if for any reason you want a specific configuration change to trigger a rolling restart.

For more information on configuring reload triggers, see app.conf. in the Splunk Enterprise documentation.

For a listing of restart vs. reload behavior of frequently used apps and configuration files in Splunk Cloud, see Restart vs. reload behavior of common apps and .conf files.